[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload



I mostly see the DHCP-over-IKE as a bits on the wire change from CP.  The
biggest differences between the two are:
1 - With DHCP backend DHCP-over-IKE does not necessarily require SGW to
store DHCP state while CP requires a DHCP client on the SGW per IKE-SA.
2 - DHCP-over-IKE extends the IKE_AUTH exchange, similar to what EAP does.
3 - With DHCP backend DHCP-over-IKE offers end to end DHCP which may be
useful for future DHCP options but I see no clear advantage today with
current DHCP.
4 - With non-DHCP backends there is little to no difference between the two
options.

DHCP-in-IKE will satisfy what I think IKEv2 needs for address assignment, I
don't know if the differences are significant enough to change things for
rev07.  I would like to know what others think.

I've included a pro/con list for the two I used to come up with the stuff
above, if you have more then add to this list.

Pro DHCP-over-IKE
~~~~~~~~~~~~~~~~~
+ Uses standard DHCP messages, and state machine on client
+ SGW may be able to be relatively stateless with DHCP backend (if DHCP
server supports the DHCP relay options)
+ Allows end to end DHCP client address assignment with DHCP server (may be
useful in the future but no current need)
+ Makes possible standard DHCP address re-assignment to local and remote
clients (only useful/likely in very small networks)
+ Integration with RADIUS and DHCP (LDAP, etc. should not be a big deal)

Con DHCP-over-IKE
~~~~~~~~~~~~~~~~~
- Minimum addition of 280 bytes to IKE messages, more options will make this
bigger.
- Extends IKE_AUTH exchange (but EAP does this too).
- When DHCPDISCOVER will be to an unauthenticated peer (true for CP as well
but DHCPDISCOVER may have many options that may be dangerous to give to an
attacker impersonating the SGW, recommend sending _minimal_ DHCPDISCOVER).

Pro CP
~~~~~~
+ Small payload size
+ Similar to IKEv1 modecfg
+ Integration with RADIUS and DHCP (LDAP, etc. should not be a big deal)

Con CP
~~~~~~
- No end to end DHCP negotiation, SGW must be DHCP client
- No DHCP standard way to assign the same address to clients when physically
on the LAN and when connecting via ipsec (Likely only useful in very small
LANs)
- Does not use DHCP state machine end to end may have future impact
- When a DHCP backend is used the SGW will need to actively communicate with
a DHCP server and keep DHCP client state

Darren

> -----Original Message-----
> From: owner-ipsec@xxxxxxxxxxxxxxxxx
> [mailto:owner-ipsec@xxxxxxxxxxxxxxxxx]On Behalf Of Theodore Ts'o
> Sent: Wednesday, April 09, 2003 5:19 PM
> To: ipsec@xxxxxxxxxxxxxxxxx
> Subject: CALL FOR DISCUSSION: DHCP over IKE vs Configuration Payload
>
>
>
> Last week on Thursday, Tero Kevinen has submitted three drafts (*) that
> define DHCP over IKE.  Comments to these documents are solicted, and
> thoughts about whether this approach is superior or inferior to the
> currently specified Configuration payload in ikev2-06 are hereby
> solicited.
>
> (*) Tero, go ahead and submit them as IPSEC wg I-D's --- Barbara and I
> will approve them as working group documents.
>